[nsp-sec] PHP Botnets are fun. C&C's discovered
Stephen Gill
gillsr at cymru.com
Tue Feb 5 16:46:27 EST 2008
Hi Dave,
Nicely done!!
> We've found some nice PHP botnets out there roaming around and
> providing UDP packet love (it is teh suck). We found the nice php bot files
> hosted in a variety of places. I don't have timestamps for the few
> dynamic IP's listed, but the majority of the info should be useable.
>
> PHP script hosting
> ------------------
>
We have a system for automatically processing Unix/PHP(ish) based botnets of
a few flavors, including pBot. If you can submit any RFI related malware
URLs (or any malware URLs for that matter) such as the above on a regular
basis, please let me know and we can send you the details of how and where
to send the URLs.
All of the malware we run across is sorted by content, then parsed looking
for these types of C&Cs. The C&Cs are extracted, and passed through
sharknarc automatically and summarized for manual review and vetting. If
they pass the mustard, they get added to things like the ddos-rsv2.txt,
blackhole routeserver, and daily reports. The malware URLs will also get
confirmed, and routed through daily reports for takedown assuming there is a
vetted contact behind a given ASN.
E.g. of the URLs listed, the ones that were successfully retrieved turned up
these candidates:
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
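The sort-by-content, then parse-for-C&C step described in the reply, as an added example that is not part of this thread or of Team Cymru's system. It assumes the pBot-style `$config = array("server"=>..., "port"=>...)` layout and runs over constructed, non-malicious sample files.

```python
import re
from collections import Counter

# Constructed sample "PHP bot" sources (not real malware). The $config layout
# mirrors the pBot-style array this parser assumes; hosts are RFC 5737/.test names.
SAMPLES = {
    "a.txt": '''<?php
class pBot {
  var $config = array("server"=>"irc.example.test",
                      "port"=>6667,
                      "chan"=>"#c2");
}''',
    "b.txt": '''<?php
class pBot { var $config = array("server"=>"192.0.2.10", "port"=>"6698"); }''',
    "c.txt": '''<?php echo "just a web page"; ?>''',
    "d.txt": '''<?php
class pBot { var $config = array("server"=>"IRC.example.test", "port"=>6667); }''',
}

PBOT_MARKER = re.compile(r"class\s+pBot\b", re.IGNORECASE)   # content-based sort key
SERVER_RE = re.compile(r'"server"\s*=>\s*"([^"]+)"')
PORT_RE = re.compile(r'"port"\s*=>\s*"?(\d{1,5})"?')

def classify(src: str) -> str:
    """Sort a sample by content: 'pBot' if it carries the pBot class, else 'other'."""
    return "pBot" if PBOT_MARKER.search(src) else "other"

def extract_cnc(src: str):
    """Pull (server, port) out of a pBot-style config; None if either is missing or bogus."""
    s, p = SERVER_RE.search(src), PORT_RE.search(src)
    if not s or not p:
        return None
    port = int(p.group(1))
    if not 0 < port < 65536:
        return None
    return (s.group(1).lower(), port)   # normalise case so duplicates collapse

def summarize(samples: dict) -> list:
    """Return deduplicated 'pBot server <host> <port>' lines with sample counts for review."""
    hits = Counter()
    for src in samples.values():
        if classify(src) == "pBot" and (cnc := extract_cnc(src)):
            hits[cnc] += 1
    return [f"pBot server {h} {p} (samples={n})" for (h, p), n in sorted(hits.items())]

if __name__ == "__main__":
    for line in summarize(SAMPLES):
        print(line)
```

The summary lines are candidates only; as the reply says, they still need manual vetting before going into a blackhole feed.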